All of the string transformation is done before the string hits the request
processor so tricking the request processor is more difficult.
At this time AOLServer and OpenACS is not a big target for script kiddies
due to the fact that it doesn't have a big market share.
If an exploit does show up related to the request processor it should be easy
enough to add a filter to block it. Probably 15 minutes work for an
experienced AOLServer/TCL/OpenACS programmer.
I'm not very familiar with the specifics of OpenACS 4's request processor so I
won't try to say whether it is safe or not. From a quick look at it it appears
complex and any complex piece of code is more vulnerable to subtle errors or
unpredicted functionality.